Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 84(4) port fwd trouble

Just got a new ASA and is prepping it before throwing it out live.

But i cant seem to get the forwarding to function properly.
I have followed http://www.gregledet.net/?p=529  and read to numerous topics but i cant seem to figure outwhy it aint working.

I have a computer on the outside interface on ..224.1
its connected to ..224.20 (outside)
Inside is 192.168.0.1

another computer with a web server on 192.168.0.5:80 is connected to inside.

Tested the webserver on the inside.

I can ping from the webserver to the ..224.1.

and from the ..224.1 to ..224.20

The log says:

Source ..224.20

Source port 1339
dest port 80

descr.  TCP access denioed by ACL from ..224.1/1339 to outside:..224.20/80

sh run says:

ASA Version 8.4(4)

##EDITED OUT##

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 5

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ..224.20 255.255.255.128

!

interface Vlan5

no forward interface Vlan1

no nameif

security-level 50

ip address dhcp

!

ftp mode passive

clock timezone GMT 0

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.0.13

name-server 194.19.2.11

name-server 194.19.3.11

##EDITED OUT##

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Webserver

host 192.168.0.5

access-list outside_access_in extended permit tcp any object Webserver eq www

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network Webserver

nat (inside,outside) static interface service tcp www www

route outside 0.0.0.0 0.0.0.0 ..224.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

##EDITED OUT##

console timeout 0

management-access inside

vpn-addr-assign local reuse-delay 5

dhcpd auto_config outside

!

dhcpd address 192.168.0.100-192.168.0.130 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Everyone's tags (4)
1 REPLY
New Member

ASA 84(4) port fwd trouble

as always shoot the admin (me)

I logged in with asdm and moved the NAT rule to the top above allow the generic allow all outside.

Everything worked.

Doh!

310
Views
0
Helpful
1
Replies
CreatePlease login to create content